From: Jouni Malinen Date: Sat, 14 Mar 2015 11:50:12 +0000 (+0200) Subject: Fix bitfield_get_first_zero() to not read beyond buffer X-Git-Tag: hostap_2_4~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=319d9daab9bb12f9cd69f7d18bdcead32e482fc8;p=thirdparty%2Fhostap.git Fix bitfield_get_first_zero() to not read beyond buffer It was possible for bitfield_get_first_zero() to read one octet beyond the allocated bit buffer in case the first zero bit was not within size-1 first octets. Signed-off-by: Jouni Malinen --- diff --git a/src/utils/bitfield.c b/src/utils/bitfield.c index f90e4beb6..8dcec3907 100644 --- a/src/utils/bitfield.c +++ b/src/utils/bitfield.c @@ -76,11 +76,11 @@ static int first_zero(u8 val) int bitfield_get_first_zero(struct bitfield *bf) { size_t i; - for (i = 0; i <= (bf->max_bits + 7) / 8; i++) { + for (i = 0; i < (bf->max_bits + 7) / 8; i++) { if (bf->bits[i] != 0xff) break; } - if (i > (bf->max_bits + 7) / 8) + if (i == (bf->max_bits + 7) / 8) return -1; i = i * 8 + first_zero(bf->bits[i]); if (i >= bf->max_bits)
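Review bot: The byte count `(bf->max_bits + 7) / 8` is written out twice in bitfield_get_first_zero(), once in the loop condition and once in the `i == ...` check after the loop, and the two must agree for the following `first_zero(bf->bits[i])` read to stay inside the buffer. The off-by-one being fixed had to be corrected in both places for the same reason. Consider computing the bound once into a local, for example `size_t len = (bf->max_bits + 7) / 8;`, and using `i < len` and `i == len`, so that a later edit cannot change one without the other. A short comment that the trailing `if (i >= bf->max_bits)` check handles the unused bits of a final partial octet would also help, since with the corrected loop that check is the only guard for that case. A regression test that sets every bit and expects -1, run under a memory checker, would cover the case described in the commit message.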